Abstract

Modular techniques for automatic verification attempt to overcome the state-explosion problem by exploiting the modular structure naturally present in many system designs. Unlike other tasks in the verification of finite-state systems, current modular techniques rely heavily on user guidance. In particular, the user is typically required to construct module abstractions that are neither too detailed as to render insufficient benefits in state exploration, nor too coarse as to invalidate the desired system properties. In this paper, we construct abstract modules automatically, using reachability and controllability information about the concrete modules. This allows us to leverage automatic verification techniques by applying them in layers: first we compute on the state spaces of system components, then we use the results for constructing abstractions, and finally we compute on the abstract state space of the system. Our experimental results indicate that if reachability and controllability information is used in the construction of abstractions, the resulting abstract modules are often significantly smaller than the concrete modules and can drastically reduce the space and time requirements for verification.

1 Introduction

The single largest obstacle to the use of automatic methods in system verification is the state-explosion problem, which is the exponential increase in the number of system states caused by a linear increase in the number of system components or variables. Modular verification techniques attempt to overcome the state-explosion problem by exploiting the modular structure naturally present in most system designs. The basic idea is to analyze each module of the system separately, perhaps together with an environment that represents a simplified model of the rest of the system; the results obtained for the individual modules are then combined into a single result about the compound system. Unlike other tasks in the verification of finite-state systems, which have been largely automated, current modular verification techniques still rely heavily on user guidance. Aside from deciding how to break up a system into modules, the user also has to specify the environment in which to study each module, which is usually a difficult task. In this paper, we present an approach to modular verification that is almost entirely automatic, leaving to the user only the task of specifying which variables of a module should be relevant to the other modules.

For each concrete module, we erase some variables to construct an abstract module, which has a smaller state space; the abstract module is then used to replace the concrete module in the verification process. If this approach is pursued naively, typically one of two things happens. Either one abstracts only variables that do not influence the property to be verified, which is certainly prudent but more often than not leads to insufficient savings, or one abstracts variables that do influence the desired property, in which case the abstract module may violate the property even though the concrete module does not. We take the second route, but use additional information about the concrete module in order to construct more useful abstractions than could be achieved by simply erasing variables. In the most basic variation of our method, we use reachability information about the concrete module when erasing variables to construct an abstraction. In a more advanced variation, we also use controllability information about the concrete module with respect to the desired property. In all cases, the additional information we use can be obtained fully automatically by looking only at individual modules and the property to be verified — there is no need to involve the compound system. Our experimental results indicate that the use of reachability and controllability information can lead to dramatic improvements in verification: the resulting module abstractions are often much smaller than the concrete modules yet still preserve the desired property.

Our model of computation is that of transition systems defined over finite sets of state variables. We describe systems as the parallel composition of one or more modules. A module $P = (V_P, I_P, T_P)$ consists of a set $V_P$ of variables, partitioned into input and output variables, an initial predicate $I_P$ over $V_P$ defining the initial states of $P$, and a transition predicate $T_P$ over $V_P \cup V_P'$ defining the possible state transitions of $P$ in terms of their source states (over $V_P$) and destination states (over $V_P' = \{x' \mid x \in V_P\}$). We consider systems consisting of non-blocking modules, in which every state has a successor, regardless of the inputs to the module. The semantics of parallel composition is conjunction: $P \parallel Q = (V_P \cup V_Q,\ I_P \wedge I_Q,\ T_P \wedge T_Q)$. For the sake of simplicity, in this paper we focus on Moore modules, for which the outputs during a transition depend only on the source state of the transition. Our approach can be adapted with only minor modifications to Mealy-type modules, such as the Reactive Modules of [AH96]. We consider the verification of invariance properties. An invariance property for the module $P$ is specified by an invariant predicate $\varphi$ over $V_P$. The module $P$ satisfies the invariant predicate $\varphi$, written $P \models \Box\varphi$, if $P$ never leaves the set of states defined by $\varphi$.

Consider a system $P \parallel Q$ consisting of two modules $P$ and $Q$, and a desired invariant predicate $\varphi$ for $P \parallel Q$. To check if $P \parallel Q \models \Box\varphi$ without constructing the global state space of $P \parallel Q$, we can remove a subset $W_P \subseteq V_P$ of the variables of $P$ and a subset $W_Q \subseteq V_Q$ of the variables of $Q$. Formally, the abstract module $(\exists W_P.P) = (V_P \setminus W_P,\ \exists W_P.\,I_P,\ \exists W_P\,\exists W_P'.\,T_P)$ is constructed by existentially quantifying the removed variables in the initial and transition predicates; we say that $(\exists W_P.P)$ is obtained by erasing from $P$ the variables in $W_P$. Then we can attempt to use the following standard inference rule:

$$\frac{(\exists W_P.P) \parallel (\exists W_Q.Q) \models \Box\varphi}{P \parallel Q \models \Box\varphi} \qquad (1)$$

This rule is sound, because every reachable state of the concrete system $P \parallel Q$ corresponds to a reachable state of the abstract system $(\exists W_P.P) \parallel (\exists W_Q.Q)$. The efficiency advantage of the rule stems from the fact that the premise involves fewer variables than the conclusion, reducing the size of the state space to be explored. However, the premise may fail even though the conclusion holds, because there may be many reachable states of the abstract system that do not correspond to reachable states of the concrete system. In fact, it is often impossible to choose suitable, reasonably large sets $W_P$ and $W_Q$, because modular designs aggregate naturally within each module only closely interdependent variables. By erasing such dependencies between variables, the number of transitions of the abstract system grows quickly to the point of violating all but trivial invariants. Our goal is to confine this growth in abstract transitions by utilizing additional information about the component modules $P$ and $Q$.

More precisely, a state $s$ of $P$ can be written as a pair $s = (s_a, s_w)$, where $s_a$ is a state over the set $V_P \setminus W_P$ of variables, and $s_w$ is a state over the set $W_P$ of erased variables. The abstract module $(\exists W_P.P)$ contains a transition from source state $s_a$ to destination state $s_a'$ iff the concrete module $P$ contains a transition from $(s_a, s_w)$ to $(s_a', s_w')$ for some $s_w$ and $s_w'$. As a first improvement, we can include a transition from $s_a$ to $s_a'$ in the abstract module only if, for some $s_w$ and $s_w'$, there is a transition from $(s_a, s_w)$ to $(s_a', s_w')$ in the concrete module and the state $(s_a, s_w)$ is reachable in the concrete module. This is because it is certainly not useful to include abstract transitions that have no reachable concrete counterparts. To this end, we compute a predicate $R_P$ over $V_P$ that defines the reachable states of $P$. The predicate $R_P$ can be computed using standard state-space exploration (symbolic or enumerative). Our experiments based on symbolic methods indicate that this computation is efficient, since the module $P$ is considered in isolation. From the predicate $R_P$ we construct the module $(P \& R_P) = (V_P,\ I_P,\ T_P \wedge R_P)$, which is like $P$, except that it allows only transitions from reachable states. After erasing the variables in $W_P$, we obtain the abstract module $(\exists W_P.(P \& R_P))$. In a similar way, we compute the reachability predicate $R_Q$ for $Q$ and construct the abstract module $(\exists W_Q.(Q \& R_Q))$. To complete the verification process, we then use the following rule:

$$\frac{(\exists W_P.(P \& R_P)) \parallel (\exists W_Q.(Q \& R_Q)) \models \Box\varphi}{P \parallel Q \models \Box\varphi} \qquad (2)$$

Since the systems $P \parallel Q$ and $(P \& R_P) \parallel (Q \& R_Q)$ have the same reachable states, rule (2) is sound. As we shall see, unlike the simplistic rule (1), the improved rule (2) can often be successfully applied even when the sets $W_P$ and $W_Q$ include variables that contribute to ensure the invariant $\varphi$. Yet the savings in checking the premise of rule (2) are just as great as those for checking the premise of the earlier rule (1), because the same sets of variables are erased. In other words, $(\exists W_P.(P \& R_P)) \parallel (\exists W_Q.(Q \& R_Q))$ is a more accurate but no more detailed abstraction of $P \parallel Q$ than is $(\exists W_P.P) \parallel (\exists W_Q.Q)$. In our experiments we shall obtain dramatic results by applying rule (2) with the simple heuristic of erasing those variables that are not involved in the communication between $P$ and $Q$. While reachability information is often used in algorithmic verification, the novelty of rule (2) consists in the use of such information for the modular construction of abstractions.

The effectiveness of a rule such as (1) or (2) is directly related to the number of variables that can be erased in a successful application of the rule. Rule (2) improves on rule (1) by using reachability information about the individual modules in the construction of the abstractions, which usually permits the erasure of more variables. It is possible to further improve on rule (2) by using, in addition to reachability information, also information about the controllability of the individual modules with respect to the specification $\Box\varphi$. This improvement is based on the following observation. The predicate $R_P$ used in (2) defines the reachable states of $P$ when $P$ is in a completely general environment. However, the module $P$ may exhibit anomalous behaviors in a completely general environment; in particular, more states may be reachable under a completely general environment than under the specific environment provided by $Q$. Of course, we do not want to compute the reachable states of $P$ when $P$ is composed with $Q$: doing so would require the exploration of the state space of the global system $P \parallel Q$, which is exactly what our modular verification rules try to avoid. To study the module $P$ under a suitable confining environment, while still avoiding the exploration of the global state space, we consider the module $P$ in the most general environment $E$ that ensures the invariant $\varphi$; that is, $E$ is the least restrictive module such that $P \parallel E \models \Box\varphi$. In practice, we need not construct $E$ explicitly, but compute only the predicate $D_P$ that defines the set of reachable states of $P \parallel E$. Since $E$ is more restrictive than the completely general environment, the predicate $D_P$ is stronger than $R_P$, and the implication $D_P \to R_P$ holds. The algorithm for computing $D_P$ follows from the standard game-theoretic algorithm for computing the set of states of the module $P$ that are controllable with respect to the invariant $\varphi$; it can be implemented symbolically or enumeratively, with a time complexity that is linear in the size of the state space of $P$ [Bee80]. This leads to the following modular verification rule:

$$\frac{(I_P \wedge I_Q) \to (D_P \wedge D_Q) \qquad P \parallel (\exists W_Q.(Q \& D_Q)) \models \Box D_P \qquad Q \parallel (\exists W_P.(P \& D_P)) \models \Box D_Q}{P \parallel Q \models \Box\varphi} \qquad (3)$$

where $W_P \subseteq V_P$ and $W_Q \subseteq V_Q$. The soundness of this rule depends on an inductive argument, and it will be proved in detail in the paper. Essentially, the first premise ensures that the modules $P$ and $Q$ are initially in states satisfying $D_P \wedge D_Q$. The second premise shows that, as long as $Q$ does not leave the set defined by $D_Q$, the module $P$ will not leave the set defined by $D_P$; the third premise is symmetrical. As the implications $D_P \to \varphi$ and $D_Q \to \varphi$ hold, the three premises lead to the conclusion. The rule is in fact closely related to inductive forms of assume-guarantee reasoning [Sta85, AL95, AH96, McM97]. The use of the stronger predicates $D_P$ and $D_Q$ in the second and third premises of rule (3) potentially enables the erasure of more variables compared to the earlier rule (2). However, in rule (3) this erasure can take place only on one side of the parallel composition operator or, in the case of multi-module systems, for all modules but one.
While automatic approaches to the construction of abstractions for model checking have been proposed, for example, in [Kur94, Dam96, GS97, CC99], these approaches do not exploit reachability and controllability information in a modular fashion. In particular, instead of the standard principle “first abstract, then model check the abstraction,” our approach follows the more refined principle “first model check the components, then use this information to abstract, then model check the compound abstraction.” In this way, our modular verification rules are doubly geared towards automatic verification methods: state-space exploration is used both to compute the reachability and controllability predicates, and to check all temporal premises (those which contain the $\models$ operator). It is worth pointing out that nontemporal premises would result in rules that are considerably less powerful. For example, suppressing variable erasures, the temporal premise $(P \& R_P) \parallel (Q \& R_Q) \models \Box\varphi$ of rule (2) is weaker than the two nontemporal premises $I_P \wedge I_Q \to \varphi$ and $\varphi \wedge R_P \wedge T_P \wedge R_Q \wedge T_Q \to \varphi'$ would be (here, $\varphi'$ results from $\varphi$ by replacing all variables with their primed versions). Similarly, the second premise of rule (3) is weaker than the two nontemporal premises $I_P \wedge I_Q \to D_Q \wedge D_P$ and $D_P \wedge T_P \wedge D_Q \wedge T_Q \to D_P'$ would be. It is easy to find examples where our temporal premises apply, but their nontemporal counterparts do not.

The outline of the paper is as follows. After introducing preliminary definitions in Section 2, we develop the technical details of the proposed modular verification rules in Section 3. The verification rules have been implemented on top of the Mocha model checker [AHM+98], using BDD-based fixpoint algorithms for the computation of the reachability and controllability predicates. In Section 4 we discuss the implementation of the verification rules, and we describe the script language we devised in order to be able to experiment efficiently with various modular verification techniques. In Section 5 we present experimental results for three examples: a demarcation protocol used to maintain the consistency between distributed databases [BGM92], a token-ring arbiter, and a sliding-window protocol for data communication [Hol91]. We conclude the paper with some insights gathered in the course of the experimentation with the proposed verification rules.

2 Modules

Given a set $V$ of typed variables with finite domain, a state $s$ over $V$ is an assignment for $V$ that assigns to each $x \in V$ a value $s[x]$. We also denote by $V' = \{x' \mid x \in V\}$ the set obtained by priming each variable in $V$. Given a predicate $H$ over $V$, we denote by $H'$ the predicate obtained by replacing in $H$ every $x \in V$ with $x' \in V'$. Given a set $A$ and an element $x$, we often write $A \setminus x$ for $A \setminus \{x\}$, when this generates no confusion. A module $P = (C_P, E_P, I_P, T_P)$ consists of the following components:

1. A (finite) set $C_P$ of controlled variables, each with finite domain, consisting of the variables whose values can be accessed and modified by $P$.

2. A (finite) set $E_P$ of external variables, each with finite domain, consisting of the variables whose values can be accessed, but not modified, by $P$.

3. A transition predicate $T_P$ over $C_P \cup E_P \cup C_P'$.

4. An initial predicate $I_P$ over $C_P$.
We denote by $V_P = C_P \cup E_P$ the set of variables mentioned by the module. Given a state $s$ over $V_P$, we write $s \models I_P$ if $I_P$ is satisfied under the variable interpretation specified by $s$. Given two states $s, s'$ over $V_P$, we write $(s, s') \models T_P$ if predicate $T_P$ is satisfied by the interpretation that assigns to $x \in V_P$ the value $s[x]$ and to $x' \in V_P'$ the value $s'[x]$. A module $P$ is non-blocking if the predicate $I_P$ is satisfiable, i.e., if the module has at least one initial state, and if the assertion $\forall V_P.\,\exists C_P'.\,T_P$ holds, so that every state has a successor. A trace of module $P$ is a finite sequence of states $s_0, s_1, s_2, \ldots, s_n \in \mathrm{States}(V_P)$, where $n \ge 0$ and $(s_k, s_{k+1}) \models T_P$ for all $0 \le k < n$; the trace is initial if $s_0 \models I_P$. Two modules $P$ and $Q$ are composable if $C_P \cap C_Q = \emptyset$; in this case, their parallel composition $P \parallel Q$ is defined as:

$$P \parallel Q = \big(C_P \cup C_Q,\ (E_P \cup E_Q) \setminus (C_P \cup C_Q),\ I_P \wedge I_Q,\ T_P \wedge T_Q\big).$$

Given a module $P$ and a predicate $H$ over $V_P$, we denote by

$$(P \& H) = (C_P,\ E_P,\ I_P \wedge H,\ T_P \wedge H)$$

the module like $P$, except that only transitions from states that satisfy $H$ are allowed. Given a module $P$ and a set $W$ of variables, we let

$$(\exists W.P) = (C_P \setminus W,\ E_P \setminus W,\ \exists W.\,I_P,\ \exists W, W'.\,T_P)$$

be the module obtained by erasing the variables $W$ in $P$. Note that the module $(P \& H)$ can be blocking even if module $P$ is non-blocking. On the other hand, the parallel composition of non-blocking modules is non-blocking, and a module obtained from a non-blocking module by erasing variables is also non-blocking.

A state of a module $P$ is reachable if it appears in some initial trace of $P$. We denote by $\mathrm{Reach}(P)$ the predicate defining the reachable states of $P$; this predicate can be computed using standard state-space exploration techniques [CES83]. Given a module $P$ and a predicate $\varphi$, the relation $P \models \Box\varphi$ holds iff the implication $\mathrm{Reach}(P) \to \varphi$ is valid. In this paper, we present modular techniques for verifying whether the relation $P_1 \parallel \cdots \parallel P_n \models \Box\varphi$ holds, where $P_1, P_2, \ldots, P_n$ are composable modules, for $n > 0$, and where $\varphi$ is defined over the set of variables $\bigcup_{i=1}^n V_{P_i}$. This verification problem is known as the invariant verification problem, and it is one of the most basic problems in formal verification.

3 Modular Rules for Invariant Verification

In this section, we present three modular rules for the verification of invariants; the rules are presented in order of increasing sophistication, and of increasing ability to successfully erase variables. The first rule is a standard rule based on the construction of abstract modules:

$$\frac{(\exists W_1.P_1) \parallel \cdots \parallel (\exists W_n.P_n) \models \Box\varphi}{P_1 \parallel \cdots \parallel P_n \models \Box\varphi} \qquad (4)$$

The second rule is derived from the above rule, by using in the construction of the abstract modules also information about the reachable states of the concrete modules. The third rule constructs the abstract modules using both reachability and controllability information about the concrete modules.
3.1 Reachability-based abstractions

In order to improve the ability of rule (4) to successfully erase variables, we construct the abstract modules using reachability information about the concrete modules. Hence, we formulate the following modular verification rule:

$$\frac{(\exists W_1.(P_1 \& \mathrm{Reach}(P_1))) \parallel \cdots \parallel (\exists W_n.(P_n \& \mathrm{Reach}(P_n))) \models \Box\varphi}{P_1 \parallel \cdots \parallel P_n \models \Box\varphi} \qquad (5)$$

This rule is sound. The rule is also complete, since whenever the conclusion holds, the premise also does, with the choice $W_1 = \cdots = W_n = \emptyset$. Our experiments indicated that rule (5) is often surprisingly effective in enabling the successful erasure of variables, leading to dramatic savings in the space and time requirements of verification. We illustrate this with an example.

Example 1 This example is a simplified version of the token-ring example presented in Section 5. Consider a system composed of two modules $P$ and $Q$ that circulate a token through a 4-phase handshake protocol. The module $P$ has controlled variables $C_P = \{grant_1, ack_1, x_1, y_1, c_1\}$ and external variables $E_P = \{grant_2, ack_2\}$. All variables are boolean, except for $c_1$ that has domain $\{0, 1, 2, 3\}$. The module $Q$ is defined similarly, except that the subscripts 1 and 2 are exchanged. Intuitively, $grant_2$ and $ack_1$ form the handshake that passes a token from $Q$ to $P$. Once the token arrives into $P$, it is stored first in $x_1$, then in $y_1$. The handshake variables $grant_1$ and $ack_2$ are used to pass the token back to $Q$. The variable $c_1$ is an auxiliary variable that records the number of tokens in $P$. The initial condition of $P$ is $I_P : \neg ack_1 \wedge \neg grant_1 \wedge x_1 \wedge \neg y_1 \wedge (c_1 = 0)$; the initial condition of $Q$ is $I_Q : \neg ack_2 \wedge \neg grant_2 \wedge \neg x_2 \wedge \neg y_2 \wedge (c_2 = 0)$, so that the token is initially in $x_1$. We present the transition predicate of $P$ in guarded-commands notation, with the convention that the values of the variables not mentioned in the assignments are not modified, and that the command to be executed is chosen nondeterministically among those whose guards are true:

$$\begin{array}{lcl}
grant_2 \wedge \neg ack_1 \wedge \neg x_1 & \to & ack_1' := \mathrm{T};\ x_1' := \mathrm{T};\ c_1' := (c_1 + 1) \bmod 4 \\
\neg grant_2 \wedge ack_1 & \to & ack_1' := \mathrm{F} \\
x_1 \wedge \neg y_1 & \to & x_1' := \mathrm{F};\ y_1' := \mathrm{T} \\
\neg grant_1 \wedge \neg ack_2 \wedge y_1 & \to & grant_1' := \mathrm{T};\ y_1' := \mathrm{F};\ c_1' := (c_1 - 1) \bmod 4 \\
grant_1 \wedge ack_2 & \to & grant_1' := \mathrm{F} \\
\mathrm{T} & \to & \text{(no assignments)}
\end{array}$$

The transition predicate of $Q$ is identical, except that the subscripts 1 and 2 are exchanged. The invariant is $\varphi : [(c_1 + c_2) \bmod 4 < 2]$, and states that there is at most one token. To verify that $P \parallel Q \models \Box\varphi$, we can apply rule (5) with sets of erased variables $W_P = \{x_1, y_1\}$ and $W_Q = \{x_2, y_2\}$. Hence, we are able to erase all the variables that are not used for communication, and that do not appear in the invariant. The intuition is that, once the value of $c_1$ is known, the predicate

$$\mathrm{Reach}(P) : \big(c_1 = 0 \wedge \neg x_1 \wedge \neg y_1\big) \vee \big(c_1 = 1 \wedge (x_1 \oplus y_1)\big) \vee \big(c_1 = 2 \wedge x_1 \wedge y_1\big)$$

provides sufficient information about the possible values of the erased variables $x_1$ and $y_1$ to enable an accurate computation of the successor states. In contrast, rule (4) does not enable the erasure of any variables. $\blacksquare$
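The following program is an added example and is not code from the paper or from the Mocha implementation it describes. It renders the definitions of Section 2 and rules (4) and (5) in explicit-state form (sets of states in place of the BDD-based symbolic predicates the paper uses) and runs them on the two token-passing modules of Example 1. The names `Module`, `Erased`, `Compose`, `reach`, `satisfies` and `token_module` are this example's own. Two modelling choices are stated as assumptions in the code: the guard-$\mathrm{T}$ command of the example is read as an idle step, and the counter $c_1$ is initialised to 1 rather than the 0 written in $I_P$ above, so that $c_i$ equals the number of tokens a module holds, as the text says, and so that the initial state satisfies the $\mathrm{Reach}(P)$ predicate stated above (with $c_1 = 0$, the first send from $P$ would already take $(c_1 + c_2) \bmod 4$ to 3). Under these assumptions the premise of rule (5) holds after erasing $x_i, y_i$ while the premise of rule (4) does not, which is the point the example makes.

```python
# Explicit-state modules, erasure and rules (4)/(5) on the token-passing system of Example 1.
# Added example, not code from the paper; names and the c_i initialisation are its assumptions.
from collections import deque
from itertools import product

def restrict(s, names):
    """Project a state (a frozenset of (variable, value) pairs) onto `names`."""
    return frozenset((x, v) for x, v in s if x in names)

class Module:
    """Moore module P = (C_P, E_P, I_P, T_P): `ctrl`/`ext` map variables to finite domains,
    `init` is a predicate over C_P, `cmds` are (guard, update) guarded commands."""
    def __init__(self, ctrl, ext, init, cmds):
        self.ctrl, self.ext, self.init, self.cmds = ctrl, ext, init, cmds
        self.vars = {**ctrl, **ext}                                   # V_P = C_P u E_P
    def valuations(self, names):
        for vals in product(*(self.vars[x] for x in names)):
            yield frozenset(zip(names, vals))
    def initial(self):                                                # I_P constrains C_P only
        return {c | e for c in self.valuations(list(self.ctrl)) if self.init(dict(c))
                for e in self.valuations(list(self.ext))}
    def succ(self, s):
        """T_P: one enabled command fixes C_P'; E_P' is the environment's free choice."""
        cur, out = dict(s), set()
        for guard, update in self.cmds:
            if guard(cur):
                nxt = {**{x: cur[x] for x in self.ctrl}, **update(cur)}
                out |= {frozenset(nxt.items()) | e for e in self.valuations(list(self.ext))}
        return out

class Erased:
    """(exists W.(P & H)): erase W from P.  H = None keeps every transition (rule 4);
    H = Reach(P) keeps only transitions leaving a reachable concrete state (rule 5)."""
    def __init__(self, sys, W, H=None):
        self.sys, self.W, self.H = sys, list(W), H
        self.vars = {x: d for x, d in sys.vars.items() if x not in W}
    def initial(self):
        return {restrict(s, self.vars) for s in self.sys.initial()}
    def succ(self, sa):
        out = set()
        for vals in product(*(self.sys.vars[x] for x in self.W)):
            s = sa | frozenset(zip(self.W, vals))                       # concrete (s_a, s_w)
            if self.H is None or s in self.H:
                out |= {restrict(t, self.vars) for t in self.sys.succ(s)}
        return out

class Compose:
    """P || Q: both modules step at once and must agree on the variables they share."""
    def __init__(self, p, q):
        self.p, self.q, self.vars = p, q, {**p.vars, **q.vars}
        self.shared = p.vars.keys() & q.vars.keys()
    def join(self, pa, qb):
        idx = {}
        for b in qb:
            idx.setdefault(restrict(b, self.shared), []).append(b)
        return {a | b for a in pa for b in idx.get(restrict(a, self.shared), ())}
    def initial(self):
        return self.join(self.p.initial(), self.q.initial())
    def succ(self, s):
        return self.join(self.p.succ(restrict(s, self.p.vars)), self.q.succ(restrict(s, self.q.vars)))

def reach(sys):                                                       # Reach(sys) by forward exploration
    seen = set(sys.initial()); todo = deque(seen)
    while todo:
        for t in sys.succ(todo.popleft()):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen

def satisfies(sys, phi):                                              # sys |= box phi
    return all(phi(dict(s)) for s in reach(sys))

B = (False, True)
def token_module(i, j):
    """Module P of Example 1 for (i, j) = (1, 2); Q is the same with the subscripts swapped."""
    g, a, x, y, c = (f"{v}{i}" for v in ("grant", "ack", "x", "y", "c"))
    g2, a2 = f"grant{j}", f"ack{j}"
    cmds = [                                                          # Example 1's guarded commands
        (lambda s: s[g2] and not s[a] and not s[x], lambda s: {a: True, x: True, c: (s[c] + 1) % 4}),
        (lambda s: not s[g2] and s[a],              lambda s: {a: False}),
        (lambda s: s[x] and not s[y],               lambda s: {x: False, y: True}),
        (lambda s: not s[g] and not s[a2] and s[y], lambda s: {g: True, y: False, c: (s[c] - 1) % 4}),
        (lambda s: s[g] and s[a2],                  lambda s: {g: False}),
        (lambda s: True,                            lambda s: {}),    # the guard-T command, read as idle
    ]
    tokens = 1 if i == 1 else 0   # assumption: c_i starts at the number of tokens held (1 in P, 0 in Q)
    init = lambda s: not s[a] and not s[g] and s[x] == bool(tokens) and not s[y] and s[c] == tokens
    return Module({g: B, a: B, x: B, y: B, c: (0, 1, 2, 3)}, {g2: B, a2: B}, init, cmds)

P, Q = token_module(1, 2), token_module(2, 1)
PHI = lambda s: (s["c1"] + s["c2"]) % 4 < 2                           # at most one token in the ring

def concrete_holds():                                                 # P || Q |= box phi, globally
    return satisfies(Compose(P, Q), PHI)
def rule4_premise():                                                  # plain erasure of x_i, y_i
    return satisfies(Compose(Erased(P, ["x1", "y1"]), Erased(Q, ["x2", "y2"])), PHI)
def rule5_premise():                                                  # erasure guided by Reach(P_i)
    return satisfies(Compose(Erased(P, ["x1", "y1"], reach(P)), Erased(Q, ["x2", "y2"], reach(Q))), PHI)
```

`rule4_premise()` returns `False`: with $x_1, y_1$ erased outright, the send command of $P$ and the send command of $Q$ are both enabled in the initial abstract state, and one joint step drives $(c_1 + c_2) \bmod 4$ to 3. `rule5_premise()` returns `True`: restricted to reachable sources, a send needs $c_i \ge 1$ and a receive needs $c_i \le 1$, and the handshake keeps the token count at one. `reach(P)` has 64 states (the 16 valuations of the controlled variables times the 4 of the externals), and its projection on $(x_1, y_1, c_1)$ is exactly the $\mathrm{Reach}(P)$ predicate stated above.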

3.2 Controllability and reachability-based abstractions

Consider an instance $P_1 \parallel \cdots \parallel P_n \models \Box\varphi$ of the invariant verification problem, for $n > 1$. As mentioned in the introduction, the predicate $\mathrm{Reach}(P_i)$ defines the reachable states of module $P_i$ when the module $P_i$ is in a completely arbitrary environment, for $1 \le i \le n$. However, a module may have many more reachable states when composed with a completely arbitrary environment, than when composed with the other modules of the system. To obtain more precise predicates, we consider the states of $P_i$ that are reachable under the most general environment under which $P_i$ satisfies the specification $\Box\varphi$, for $1 \le i \le n$. The idea is that, if the system has been properly designed, then the actual environment of $P_i$ is a special case of this most general environment.

An environment for a module $P$ is a non-blocking module $E$ composable with $P$. Given a module $P$ and a predicate $\varphi$, we denote by $\mathrm{Envs}(P)$ the set of all environments of $P$, and we let $\mathrm{Envs}_\varphi(P) = \{E \in \mathrm{Envs}(P) \mid P \parallel E \models \Box\varphi\}$ be the set of environments of $P$ under which the specification $\Box\varphi$ holds. We define

$$\mathrm{CR}(P, \varphi) = \bigvee_{E \in \mathrm{Envs}_\varphi(P)} \exists(V_E \setminus V_P).\,\mathrm{Reach}(P \parallel E)$$

with the convention that $\mathrm{CR}(P,\varphi) = \mathrm{F}$ if $\mathrm{Envs}_\varphi(P) = \emptyset$. The predicate $\mathrm{CR}(P,\varphi)$ defines the set of states of $P$ that can be reached when $P$ is composed with an environment under which $\Box\varphi$ holds. Denote by $V_\varphi$ the variables occurring in $\varphi$. The following proposition gives some additional properties of the predicate $\mathrm{CR}(P,\varphi)$.

Proposition 1 Given a non-blocking module $P$ and a predicate $\varphi$, the following assertions hold.

1. There is an environment $E \in \mathrm{Envs}_\varphi(P)$ with $V_E = V_P \cup V_\varphi$ such that $\mathrm{CR}(P,\varphi) = \exists(V_E \setminus V_P).\,\mathrm{Reach}(P \parallel E)$.

2. The implications $\mathrm{CR}(P,\varphi) \to \exists(V_\varphi \setminus V_P).\,\varphi$ and $\mathrm{CR}(P,\varphi) \to \mathrm{Reach}(P)$ hold.

Regarding the second assertion, note that in the introduction we implicitly assumed $V_\varphi \subseteq V_{P_i}$ for $1 \le i \le n$ for the sake of simplicity, while here we are only assuming the weaker $V_\varphi \subseteq \bigcup_{i=1}^n V_{P_i}$. We can then formulate the verification rule:

$$\frac{\displaystyle \bigwedge_{i=1}^n I_{P_i} \to \bigwedge_{i=1}^n \mathrm{CR}(P_i,\varphi) \qquad P_i \parallel \Big(\big\|_{j \in \{1,\ldots,n\} \setminus \{i\}}\ (\exists W_j.(P_j \& \mathrm{CR}(P_j,\varphi)))\Big) \models \Box\,\mathrm{CR}(P_i,\varphi) \quad \text{for } 1 \le i \le n}{P_1 \parallel \cdots \parallel P_n \models \Box\varphi} \qquad (6)$$

In the second premise of this rule, for $1 \le i \le n$, we cannot erase variables of $P_i$. In fact, the predicate $\mathrm{CR}(P_i,\varphi)$ on the right hand side of $\models$ involves most of the variables in $P_i$, preventing their erasure. In the experiments described in Section 5, the systems were composed of two modules, and rule (5) performed better than rule (6), since in rule (5) the variables could be erased in both the composing modules. In systems composed of many modules, it is conceivable that the advantage derived from using the stronger predicates of rule (6) in all modules but one, thus possibly erasing more variables, outweighs the disadvantage of not being able to erase variables in one of the modules.

Proposition 2 Rule (6) is sound. If $P_1, \ldots, P_n$ are non-blocking, rule (6) is also complete: if the conclusion holds, then the premises also hold for $W_1 = \cdots = W_n = \emptyset$.

Proof. It suffices to consider the case $W_1 = \cdots = W_n = \emptyset$. To show that the rule is sound, we assume that its premises hold, and we prove by induction on $k \ge 0$ that, if $s_0, \ldots, s_k$ is an initial trace of $P_1 \parallel \cdots \parallel P_n$, then $s_i \models \mathrm{CR}(P_j, \varphi)$ for all $0 \le i \le k$ and $1 \le j \le n$. The base case follows from the first premise of (6). For the induction step, assume that the assertion holds for $k$, and consider the assertion for $k + 1$ for any $j$, with $1 \le j \le n$. The trace $s_0, \ldots, s_{k+1}$ is an initial trace of $P_j \parallel \big(\big\|_{l \ne j}\ (P_l \& \mathrm{CR}(P_l, \varphi))\big)$. Hence, we have that $s_{k+1} \models \mathrm{CR}(P_j, \varphi)$, completing the induction step. From $V_\varphi \subseteq \bigcup_{i=1}^n V_{P_i}$ and from Proposition 1, part 2, we have that the implication $\big(\bigwedge_{i=1}^n \mathrm{CR}(P_i,\varphi)\big) \to \varphi$ holds. This implication, together with the conclusion of the induction proof, leads to the desired result. The completeness of the rule follows by noticing that if $P_1 \parallel \cdots \parallel P_n \models \Box\varphi$, then by definition of $\mathrm{CR}(\cdot, \varphi)$ we have $P_1 \parallel \cdots \parallel P_n \models \Box\big(\mathrm{CR}(P_1,\varphi) \wedge \cdots \wedge \mathrm{CR}(P_n,\varphi)\big)$. $\blacksquare$

To compute the predicate $\mathrm{CR}(P,\varphi)$ given $P$ and $\varphi$, we proceed in two steps. First, we compute the predicate $\mathrm{Ctr}(P,\varphi)$ defining the set of states from which $P$ is controllable with respect to the safety property $\Box\varphi$. The predicate $\mathrm{Ctr}(P,\varphi)$ can be computed with a standard controllability algorithm [TW68, Bee80, RW87].

Algorithm 1

Input: Module $P$ and predicate $\varphi$.

Output: Predicate $\mathrm{Ctr}(P,\varphi)$ over $V_P$.

Initialization: Let $\Gamma = V_\varphi \setminus V_P$ and $U_0 = \exists\Gamma.\,\varphi$.

Repeat: For $k \ge 0$, let $U_{k+1} = U_k \wedge \exists(E_P' \cup \Gamma').\,\forall C_P'.\,\big(T_P \to (U_k' \wedge \varphi')\big)$.

Until: $U_{k+1} = U_k$.

Return: $U_k$.

The algorithm computes a sequence $U_0, U_1, U_2, \ldots$ of increasingly strong predicates. For $k \ge 0$, predicate $U_k$ defines the states from which it is possible to control $P$ to satisfy predicate $\varphi$ for at least $k + 1$ steps; note that the implication $U_k \to \exists\Gamma.\,\varphi$ holds for $k \ge 0$. At each iteration $k \ge 0$, the algorithm lets $U_{k+1}$ define the set of states from which the environment can choose the next value for the external variables, so that for all choices of the controlled variables, the successor states of the transitions satisfy $U_k$. The following algorithm computes the predicate $\mathrm{CR}(P,\varphi)$, using the previous algorithm as a subroutine.
Algorithm 2

Input: Module $P$ and predicate $\varphi$.

Output: Predicate $CR(P,\varphi)$ over $V_P$.

Initialization: Let $F = V_\varphi \setminus V_P$, and $V_0 = I_P \wedge \exists F . \forall C_P . (I_P \to (Ctr(P,\varphi) \wedge \varphi))$.

Repeat: For $k \ge 0$, let

$V'_{k+1} = V'_k \vee \exists V_P . \big[ V_k \wedge T_P \wedge \exists F' . \forall C'_P . (T_P \to (Ctr'(P,\varphi) \wedge \varphi')) \big]$.

Until: $V_{k+1} = V_k$.

Return: $V_k$.

For each $k \ge 0$, the predicate $V_k$ over $V_P$ defines the set of states of $P$ that can be reached in $k$ or fewer steps when $P$ is composed with an environment $E$ such that $P \| E \models \Box\varphi$. To understand how this predicate is computed, note that the predicate $\forall C_P . (I_P \to (Ctr(P,\varphi) \wedge \varphi))$ defines the set of initial valuations for the variables in $E_P \cup F$ that are safe for the environment: if one such valuation is chosen by the environment, the system will start in a controllable state that satisfies $\varphi$, regardless of the valuation for the controlled variables in $C_P$ chosen by the module $P$. The iteration step follows a similar idea. If $V_k$ defines the set of current states, then the formula $K_1 : \exists V_P . (V_k \wedge T_P)$ over $C'_P$ defines the valuations for the controlled variables that can be chosen by $P$ for the following state. The environment must choose a valuation for the variables in $E'_P \cup F'$ that ensures that, regardless of the valuation for $C'_P$ chosen by the module, the successor state satisfies $Ctr'(P,\varphi) \wedge \varphi'$. If $V_k$ defines the set of current states, the set of such valuations for $E'_P \cup F'$ is defined by the formula

$K_2 : \exists V_P . \forall C'_P . \big( (V_k \wedge T_P) \to (Ctr'(P,\varphi) \wedge \varphi') \big)$.

It is then easy to see that the iteration step of Algorithm 2 can be written simply as $V'_{k+1} = V'_k \vee (K_1 \wedge \exists F' . K_2)$, so that $K_1$ constrains the next valuation of the controlled variables, and $\exists F' . K_2$ constrains the next valuation of the external variables. Algorithms 1 and 2 can be implemented enumeratively or symbolically, and they have running time linear in $|States(V_P \cup V_\varphi)|$. In the next example, we see how rule (6) can enable the erasure of variables that could not be erased with rule (5).

Example 2 Consider the verification problem $P_1 \| P_2 \models \Box\varphi$, where the invariant is $\varphi : \neg z_1 \wedge \neg z_2$. The modules have controlled variables $C_{P_i} = \{x_i, y_i, z_i\}$ and external variables $E_{P_i} = \{x_{3-i}, z_{3-i}\}$, for $1 \le i \le 2$; all the variables are boolean. Module $P_1$ has initial predicate $I_{P_1} : \neg x_1 \wedge \neg y_1 \wedge \neg z_1$, and has transition predicate $T_{P_1} : [x'_1 = z_2] \wedge [(\neg x_1 \wedge \neg x_2) \to (y'_1 = y_1)] \wedge [\neg y_1 \to (z'_1 = z_1)]$. Module $P_2$ is defined in a symmetrical fashion. Informally, module $P_1$ behaves as follows. Initially, all variables are false. At each step, the new value for $x_1$ is the old value of $z_2$. If $x_1 \vee x_2$ holds, then $y_1$ can change value; otherwise, it retains its previous value. If $y_1$ is true, then $z_1$ can change value; otherwise, it retains its previous value. It is easy to check that $P_1 \| P_2 \models \Box\varphi$ holds.

Consider module $P_1$. The states where $z_1 = T$ or $z_2 = T$ are obviously not controllable. The states where $y_1 = T$ are also not controllable, since from these states module $P_1$ can reach a state where $z_1 = T$ regardless of the values of the external variables $x_2$ and $z_2$. Likewise, the states where $x_1 = T$ or $x_2 = T$ are not controllable, since from these states the module can reach a state where $y_1 = T$ regardless of the values of the external variables. The only controllable (and reachable) state of $P_1$ is thus defined by the predicate $CR(P_1,\varphi) : \neg x_1 \wedge \neg y_1 \wedge \neg z_1 \wedge \neg x_2 \wedge \neg z_2$. Predicate $CR(P_2,\varphi)$ is defined in a symmetrical fashion. The reachability predicates are given simply by $Reach(P_1) : T$ and $Reach(P_2) : T$.

Rule (6) can be applied by taking $W_1 = \{y_1\}$ and $W_2 = \{y_2\}$. In fact, the composite module $P_1 \| (\exists W_2 . (P_2 \,\&\, CR(P_2,\varphi)))$ admits only the initial traces consisting of repetitions of the state $[x_1 = F, y_1 = F, z_1 = F, x_2 = F, z_2 = F]$. This shows that the first premise holds; the case for the second premise is symmetrical. On the other hand, no variable can be successfully erased using rule (5). In fact, if we erase variable $y_2$, then the right hand side exhibits the initial trace $s_0, s_1$, where $s_0 : [x_1 = F, y_1 = F, z_1 = F, x_2 = F, z_2 = F]$ and $s_1 : [x_1 = F, y_1 = F, z_1 = F, x_2 = F, z_2 = T]$. This trace is possible because the state $t_0 : [x_1 = F, z_1 = F, x_2 = F, y_2 = T, z_2 = F]$ over $V_{P_2}$ is reachable, and hence it satisfies $Reach(P_2)$, and agrees with $s_0$ on the shared variables. The trace is then a consequence of the transition from $t_0$ to $t_1 : [x_1 = F, z_1 = F, x_2 = F, y_2 = T, z_2 = T]$ in $P_2$. A similar argument shows that it is not possible to erase the variable $x_2$. ■


4  Implementation  of  the  Verification  Rules 

We have implemented the algorithms described in this paper in the verification tool Mocha [AHM+98]. Mocha is an interactive verification environment and it enables, among other things, the verification of invariants using both enumerative and symbolic techniques; for the latter, it relies on the BDD package and image computation engine provided by VIS [BHSV+96], which we used in our implementation.

One important technique we use in the implementation of the rules is that, instead of computing the abstract modules explicitly, we compute them implicitly. The idea is as follows: suppose we are computing the reachable states of $(\exists W_P . P) \| (\exists W_Q . Q)$. A straightforward algorithm would be to first compute the two abstract modules, and then compute the reachable states of their composition. This is very inefficient in terms of the usage of space. Transition relations are usually presented as a list of conjuncts rather than as a single, larger conjunct. The explicit computation of the abstract modules would imply conjoining all the transition relations and building a monolithic one: if represented as a BDD, such a monolithic conjunct would often be prohibitively large. Instead, we quantify away the erased variables of the abstract modules only when necessary, as for example in the computation of the reachable states. For instance, we use the following symbolic algorithm to compute the reachable states of the parallel composition of two abstract modules:

Algorithm 3

Input: Modules $P$ and $Q$, and variables $W_P \subseteq V_P \setminus C_Q$ and $W_Q \subseteq V_Q \setminus C_P$.

Output: $Reach((\exists W_P . P) \| (\exists W_Q . Q))$.

Initialization: Let $U_0 = \exists (W_P \cup W_Q) . (I_P \wedge I_Q)$.

Repeat: For $k \ge 0$, let $U_{k+1} = U_k \vee \exists (V_P \cup V_Q \cup W'_P \cup W'_Q) . (U_k \wedge T_P \wedge T_Q)$.

Until: $U_{k+1} = U_k$.

Return: $U_k$.
In the body of the loop, we rely on the early quantification algorithm in VIS to keep the intermediate BDDs small. With this scheme, a monolithic transition relation is never built. In particular, our implementation represents abstract modules as pairs consisting of a concrete module and of a list of variables that have been erased from it; such pairs are called extended modules.

In order to experiment with the verification rules proposed in this paper, we implemented a simple script language, called sl, built on top of Mocha and based on the Tcl/Tk API. The algorithms and methodologies described in this paper provide the theoretical basis of the commands provided by sl. The verification rules proposed in this paper can be implemented as sl scripts, and the language sl provides invaluable flexibility for experimenting with alternative forms of the rules. An example of script is the following, which verifies the correctness of the demarcation protocol using rule (5) (the demarcation protocol is described in Section 5.1).


    read_module  demarc.rm
    sl_em        P Q Spec
    sl_reach     phi em_Spec s                       ;# phi = Reach(em_Spec), the invariant
    sl_reach     rp em_P s                           ;# rp = Reach(em_P)
    sl_restrict  Prest rp em_P                       ;# Prest = em_P & rp
    sl_erase     Pabs Prest P/xw P/xr P/req1 P/grant1 P/req2 \
                 P/grant2 P/xlupd1 P/xlupd2 P/busy
    sl_reach     rq em_Q s
    sl_restrict  Qrest rq em_Q
    sl_erase     Qabs Qrest Q/xw Q/xr Q/req1 Q/grant1 Q/req2 \
                 Q/grant2 Q/xlupd1 Q/xlupd2 Q/busy
    sl_compose   Rabs Pabs Qabs
    sl_checkinv  Rabs phi s                          ;# Rabs |= [] phi


The command read_module parses the file demarc.rm, containing the declarations of the modules P and Q, composing the protocol, and Spec, whose reachable states constitute the invariant. The command sl_em P Q Spec builds the extended modules em_P, em_Q, and em_Spec from P, Q, and Spec; of course, these extended modules have empty sets of erased variables. The command sl_reach phi em_Spec s computes the predicate phi = $Reach$(em_Spec). The parameter s of this and other commands means "silent", i.e., no diagnostic information is printed. The rest of the script checks that em_P $\|$ em_Q $\models \Box$phi using rule (5). First, the commands sl_reach and sl_restrict are used to compute rp = $Reach$(em_P) and Prest = (em_P & rp). Then, the command sl_erase erases a specified list of variables from Prest, producing the extended module Pabs. As discussed earlier, the command sl_erase performs no actual computation, but simply adds the specified variables to the list of erased variables. The extended module Qabs is constructed in an analogous fashion. Finally, the command sl_compose composes Pabs and Qabs into a single extended module Rabs, which is checked against the specification $\Box$phi by command sl_checkinv.

Apart from these commands, we also have implemented commands including sl_wcontr and sl_contrreach, which together compute the predicate $CR(P,\varphi)$ given a module $P$ and a predicate $\varphi$.
5  Experimental  Results


To  demonstrate  the  effectiveness  of  the  proposed  approach  to  modular  verification,  we 
compare  the  time  and  memory  requirements  of  global  state-space  exploration  with  those 
of  rule  (5)  and  rule  (6).  We  do  not  compare  our  approach  with  other  modular  verification 
approaches,  since  these  approaches  involve  user  intervention  for  the  construction  of  the 
environments.  By  manually  constructing  the  environments  or  the  abstractions  it  is  possible 
to  improve  on  our  results. 

We  consider  three  examples:  a  demarcation  protocol  used  in  distributed  databases,  a 
token-ring  arbiter,  and  a  sliding-window  protocol  for  data  communication.  All  experiments 
have  been  run  on  a  233  MHz  Pentium®  II  PC  with  128MB  memory  running  Linux.  We 
report  the  memory  usage  by  giving  the  maximum  number  of  BDD  nodes  used  in  any  fixpoint 
computation  or  predicate;  this  is  essentially  the  maximum  number  of  BDD  nodes  used  at 
any  single  time  during  verification.  We  also  report  the  total  CPU  time;  this  time  does 
not  include  swap  activity  (swap  activity  was  in  any  case  very  limited  for  all  examples 
reported).  The  automatic  variable  reordering  heuristics  of  Mocha  were  enabled  during  the 
experiments.  We  remark  that  differences  in  time  or  memory  usage  of  up  to  a  factor  of  2  are 
not  significant,  since  they  can  easily  be  produced  by  a  variation  in  the  automatic  choice  of 
variable  ordering. 

5.1  Demarcation  protocol 

The demarcation protocol is a distributed protocol aimed at maintaining numerical constraints between data residing in distributed copies of a database, while minimizing the communication requirements [BGM92]. We consider an instance of the protocol that ensures that two databases, residing at sites 1 and 2, never sell more than the maximum available number of seats $m$ aboard a plane. The variables $x_1$ and $x_2$ indicate the number of seats that have been sold at sites 1 and 2. Each site can both sell seats, and receive seats returned due to cancellations. In order to minimize the communication between two sites, each site $i = 1, 2$ maintains a variable $xl_i$ indicating the maximum number of seats it can sell autonomously. If a site wishes to sell more seats than this limit allows, the site can send a request to the other site for more seats. Depending on the number of unsold seats, the other site has the option of rejecting the request, or of granting it in part or in full.

We model each site $i = 1, 2$ by a module $P_i$; the specification is $\Box[(x_1 \le xl_1) \wedge (x_2 \le xl_2) \wedge (xl_1 + xl_2 \le m)]$. Each of $P_1$ and $P_2$ controls 20 variables, of which 8 are used for communication with the other module or appear in the invariant, and 12 are internal. Rule (5) enables the erasure of 9 of these 12 variables in each of $P_1$ and $P_2$; all of these variables are in the cone of influence of the specification. The table below compares the time and space requirements of global state space exploration with those of rules (5) and (6), for various values of $m$. To check the robustness of rule (5) against changes in the system model, we also wrote an alternative, somewhat more complex model for the demarcation protocol. For $m = 4$, the verification of the alternative model required 136156 BDD nodes and 2009 seconds with the global approach, and 18720 BDD nodes and 211 seconds with rule (5).
             Global                Rule (5)              Rule (6)
   m    BDD nodes  seconds    BDD nodes  seconds    BDD nodes  seconds
   4        20881       97         2847       25         8695       75
   6        64345      439         3338       40        20953      218
   8       179364     1671         8367       81        43915      517
  10       633102     8707        10475      112        65410     1878
  12    space-out        —        15923      174        93295     1980
  14    space-out        —        22205      300       145676     3913

5.2  Token  ring  arbiter 

The second example is a synchronous token-ring arbiter. It involves a ring of $m$ stations, around which a single token is passed unidirectionally through four-phase handshake protocols. The invariant states that there is at most one token present in the stations. A straightforward invariant would involve nearly all the variables in the system, and be rather tedious to write. Hence, we introduce observer modules that observe the number of tokens in the system. To enable the decomposition of the ring into two modules $P_1$ and $P_2$ representing the half-rings, we introduce two such observers, one for each half. We were able to erase all the variables used for the internal communications and state of the half-rings, even though these variables clearly belong to the cone of influence of the invariant. Each half ring controls $1 + 5m/2$ variables; of these, all but 4 could be erased. Below we compare the performance of global state-space exploration and of rules (5) and (6).


             Global                Rule (5)              Rule (6)
   m    BDD nodes  seconds    BDD nodes  seconds    BDD nodes  seconds
  16          657        8          979        7          608        8
  20          466       10         1619        9          308       12
  24         1138       22         1297       26          473       20
  28         1300       39         3486       24          519       29
  32         1187      110         3190      143          772      143
  36         1323      611         8230      242         1346      195

5.3  Sliding  window  protocol 

Our last example is a classical sliding window protocol from [Hol91], whose encoding is taken from the Mocha distribution. The protocol uses send and receive windows of size $m$, and it is composed of a sender module and a receiver module. Our invariant states essentially that the windows are not over-run by the protocol. In both the sender and the receiver, roughly half of the variables not used for communication with the other module can be erased when applying our modular approach. The comparison between the performance of global state-space exploration and rules (5) and (6) is presented below.
             Global                Rule (5)              Rule (6)
   m    BDD nodes  seconds    BDD nodes  seconds    BDD nodes  seconds
   3         8992       35          776       12         2443       33
   4        11831       99         1723       41         3740       42
   5        36359     1911         3843       84         8503      105
   6        94684     4994         7048      156        18316      500
   7        95667     2630         8282      513        22289      771
   8    space-out        —        26611     1582        47605     6245

5.4  Discussion 

The experimental results indicate that the proposed approach leads to a considerable reduction in the time and space requirements for the verification process.

In the examples we considered, we identified which variables could be erased in the application of rule (5) by a simple trial-and-error process. We can automate this process by providing, for each module $P$, a list $\{x_1, \ldots, x_m\} \subseteq C_P$ of variables of $P$ that are not part of the specification, and that are not accessed by other modules. We list first the variables that are more likely to be successfully erased: those that are more "internal" to the module, and that interact with fewer other variables. We then apply rule (5) successively with the sets of erased variables $\{x_1, \ldots, x_m\}, \{x_1, \ldots, x_{m-1}\}, \ldots$ until the rule succeeds. This process is efficient in practice. In fact, the more variables are erased, the smaller is the state space of the abstract modules: hence if too many variables are erased, the rule will fail in a fraction of the time required for a successful proof.

In the three examples considered, the stronger reachability predicates used to construct the abstract modules in rule (6) did not enable the erasure of any additional variable. In the demarcation protocol and in the sliding window protocol examples, the ability of rule (5) to erase variables on both sides of the parallel composition operator led to superior results compared with rule (6). In the token ring arbiter example, module $P_i$ has many more reachable states in a completely general environment than in an environment compatible with the specification, for $i = 1, 2$. Hence, the predicates $Reach(P_i)$ are much weaker (and take more time and space to compute) than the predicates $CR(P_i,\varphi)$, for $i = 1, 2$. For this reason, rule (6) performs better than rule (5) in this example.

If the premise of rule (5) does not hold, we can construct automatically a trace over the non-erased variables leading to a state that does not satisfy $\varphi$. This trace is a trace over a partial set of system variables, and it does not necessarily correspond to a counterexample to the conclusion. If the first premise of rule (6) does not hold, then using facts about controllability we can reconstruct automatically a counterexample trace over the complete set of system variables. On the other hand, if the second premise of rule (6) does not hold for some $1 \le i \le n$, then we obtain a trace $t_i$ over a partial set of system variables that leads to a state where the predicate $CR(P_i,\varphi)$ does not hold. From $t_i$, using facts about controllability we can again construct a trace over the complete set of system variables that leads to a state where $\varphi$ does not hold. When confronted with a trace over a partial set of variables, we have taken the naive approach of selectively un-erasing some variables in the premises, until either the premises became valid, or the design error could be identified.